Identity without boundaries

Turning the inside out

Identity and security used to be about boundaries: whether you were inside, or not. Inside the network, or not. Inside the company, or not. Inside the domain, or not. Dealing with the outside was hard: extranet access via a rack (or two) full of DMZ-hosted directory and remote access servers; collaboration with external employees and partners via file-sharing or email, with and (more commonly) without encryption; establishing (and maintaining) Trusts or Federation relationships with external organizations via a Federation solution of your choice. All of this while trying to maintain a firewall to protect the inside from the outside.

And once the access has been established, how is it controlled? If you are from the inside, your account and its permissions are established, but if you are from the outside, you have no account inside, so you either have to get one (how? Do I really have to do the administration?) or your security is handled by approximating your identity using somewhat generic claims.

Solutions aimed at solving these problems are also shaped by inside and outside thinking. Commonly, for example, solutions are used which aim to increase the trustworthiness of a login by using multi-factor authentication (MFA): as well as requiring a password, adding a second factor like a code from a software or hardware token, or a phone call or SMS to my mobile. But these solutions often straddle the perimeter – to get access from the outside you have to provide the code. Such point-solutions are fine at that single point – but how about generally applying this increase in trustworthiness for important activities? Why can’t I get my Domain Administrators to use MFA for their logins, even when in the internal network? In this case, our inside/outside thinking has got in our way. In addition, because these are point-solutions rather than generic solutions, there tend to be a lot of them, from different vendors, with many interfaces and integrations gluing them together.

Increasingly, security solutions are being designed without this simple inside/outside dichotomy. MFA solutions have to be available both inside and outside. Secure sharing solutions have to work as if there is no boundary. Email and Collaboration platforms have to be equally accessible, equally securely, for insiders and outsiders. This is not to say that we are unrealistically pretending that there is no such thing as inside and outside (after all, we still have on-premises data centers as well as systems in the public Internet or cloud) – it is more that these terms are simply ways of thinking about Location, which is only one of the many parameters which we use to consider trustworthiness for conditional access to systems, for example:

  • Access from Trusted/Untrusted location
  • Access from Managed/Unmanaged device
  • Access by weakly/strongly verified identity
  • Access at normal/abnormal time
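
To make the "location is just one signal" idea concrete, here is a small policy evaluator written as an added example for this post (it is not Microsoft's Conditional Access engine and not code from the original article). It turns each of the four signals above into a boolean, scores the risk, and returns a decision; the trusted network ranges, working hours and sign-in events are constructed, hypothetical values. Note how the administrator rule requires MFA even from a trusted network, which is exactly the case the inside/outside model gets wrong.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy inputs (hypothetical; not taken from the post or any real tenant).
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
NORMAL_HOURS = range(7, 20)  # 07:00-19:59 local time counts as "normal"


@dataclass
class SignIn:
    """One sign-in attempt as the policy engine sees it."""
    user: str
    source_ip: str
    device_managed: bool     # enrolled in device management?
    auth_strength: str       # "password" (weakly verified) or "mfa" (strongly verified)
    when: datetime
    is_admin: bool = False


def signals(s: SignIn) -> dict:
    """Map the sign-in to the four trust signals listed in the post."""
    ip = ip_address(s.source_ip)
    return {
        "trusted_location": any(ip in net for net in TRUSTED_NETWORKS),
        "managed_device": s.device_managed,
        "strong_identity": s.auth_strength == "mfa",
        "normal_time": s.when.hour in NORMAL_HOURS,
    }


def decide(s: SignIn) -> str:
    """Return 'allow', 'require_mfa' or 'block' for a sign-in.

    Location is only one of several signals: an admin with a weak identity is
    stepped up to MFA even on the trusted network, and a strongly verified
    user can be allowed from outside it.
    """
    sig = signals(s)

    # Privileged accounts always need a strongly verified identity, wherever they are.
    if s.is_admin and not sig["strong_identity"]:
        return "require_mfa"

    # Count the contextual signals (everything except identity strength) that look risky.
    risk = sum(1 for k in ("trusted_location", "managed_device", "normal_time") if not sig[k])

    if risk == 0:
        return "allow"
    if risk == 3:
        # Unknown network, unmanaged device and an odd hour at once: step-up alone is not enough.
        return "block"
    # One or two risky signals: a strong identity compensates, a weak one must step up.
    return "allow" if sig["strong_identity"] else "require_mfa"


if __name__ == "__main__":
    # Constructed sample sign-ins to show each decision path.
    samples = [
        SignIn("alice", "10.1.2.3", True, "password", datetime(2024, 5, 6, 10, 0)),
        SignIn("domadmin", "10.1.2.3", True, "password", datetime(2024, 5, 6, 10, 0), is_admin=True),
        SignIn("bob", "198.51.100.7", False, "password", datetime(2024, 5, 6, 10, 0)),
        SignIn("bob", "198.51.100.7", False, "mfa", datetime(2024, 5, 6, 10, 0)),
        SignIn("carol", "198.51.100.7", False, "mfa", datetime(2024, 5, 6, 3, 0)),
    ]
    for s in samples:
        print(f"{s.user:10} {s.source_ip:15} -> {decide(s)}")
```

The thresholds are deliberately simple so the decision table is readable; the point is that the decision is a function of several independent signals, with network location carrying no special status among them.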

Which brings me to my point: Microsoft has provided us with an unprecedented set of tools to manage identity and security without specific reference to boundaries. They are the features provided by the Active Directory ecosystem, whether hosted in Azure as Azure Active Directory (AAD) or on-premises on Windows Server as Active Directory Domain Services. We refer to them as Hybrid Identity and Access tools – “Hybrid” is the reference to the fact that the solution works seamlessly with “inside” and “outside” systems, i.e. on-premises and cloud-based, and they bring together all the elements of trust (and more still) that I listed just above. In addition, for the first time, with the introduction of business-to-business (B2B) integration, we can truly collaborate with other organizations by using specific identities, which we do not have to manage, granting specific permissions to specific individuals: truly turning the inside out.